tor-browser-bundle-bin: runtime purity improvements

These changes reduce file accesses outside TBB_HOME or the Nix store, as
determined by running under strace -e access,open,stat.
Joachim Fasting 2017-08-20 02:13:22 +02:00
parent c8f2dbae9f
commit f84125c3b1
No known key found for this signature in database
GPG Key ID: 66EAB6B14F6B6E0D


@ -38,6 +38,12 @@
# Pluggable transport dependencies # Pluggable transport dependencies
, python27 , python27
# Wrapper runtime
, coreutils
, glibcLocales
, hicolor_icon_theme
, shared_mime_info
# Extra preferences # Extra preferences
, extraPrefs ? "" , extraPrefs ? ""
}: }:
@ -45,7 +51,9 @@
with stdenv.lib; with stdenv.lib;
let let
libPath = makeLibraryPath ([ libPath = makeLibraryPath libPkgs;
libPkgs = [
atk atk
cairo cairo
dbus dbus
@ -62,6 +70,7 @@ let
libXt libXt
pango pango
stdenv.cc.cc stdenv.cc.cc
stdenv.cc.libc
zlib zlib
] ]
++ optionals pulseaudioSupport [ libpulseaudio ] ++ optionals pulseaudioSupport [ libpulseaudio ]
@ -70,7 +79,7 @@ let
gst-plugins-base gst-plugins-base
gmp gmp
ffmpeg ffmpeg
]); ];
gstPluginsPath = concatMapStringsSep ":" (x: gstPluginsPath = concatMapStringsSep ":" (x:
"${x}/lib/gstreamer-0.10") [ "${x}/lib/gstreamer-0.10") [
@ -225,12 +234,21 @@ stdenv.mkDerivation rec {
GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6 GeoIPv6File $TBB_IN_STORE/TorBrowser/Data/Tor/geoip6
EOF EOF
WRAPPER_XDG_DATA_DIRS=${concatMapStringsSep ":" (x: "${x}/share") [
hicolor_icon_theme
shared_mime_info
]}
# Generate wrapper # Generate wrapper
mkdir -p $out/bin mkdir -p $out/bin
cat > "$out/bin/tor-browser" << EOF cat > "$out/bin/tor-browser" << EOF
#! ${stdenv.shell} #! ${stdenv.shell}
set -o errexit -o nounset set -o errexit -o nounset
PATH=${makeBinPath [ coreutils ]}
export LC_ALL=C
export LOCALE_ARCHIVE=${glibcLocales}/lib/locale/locale-archive
# Enter local state directory. # Enter local state directory.
REAL_HOME=\$HOME REAL_HOME=\$HOME
TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser} TBB_HOME=\''${TBB_HOME:-''${XDG_DATA_HOME:-\$REAL_HOME/.local/share}/tor-browser}
@ -291,12 +309,22 @@ stdenv.mkDerivation rec {
# Setting FONTCONFIG_FILE is required to make fontconfig read the TBB # Setting FONTCONFIG_FILE is required to make fontconfig read the TBB
# fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024 # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024
# indicates the system fonts.conf being used instead. # indicates the system fonts.conf being used instead.
#
# XDG_DATA_DIRS is set to prevent searching system dirs (looking for .desktop & icons)
exec env -i \ exec env -i \
TZ=":" \
TZDIR="\''${TZDIR:-}" \
LOCALE_ARCHIVE="\$LOCALE_ARCHIVE" \
\
TMPDIR="\''${TMPDIR:-/tmp}" \
HOME="\$HOME" \ HOME="\$HOME" \
XAUTHORITY="\$XAUTHORITY" \ XAUTHORITY="\$XAUTHORITY" \
DISPLAY="\$DISPLAY" \ DISPLAY="\$DISPLAY" \
DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \ DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \
\ \
XDG_DATA_HOME="\$HOME/.local/share" \
XDG_DATA_DIRS="$WRAPPER_XDG_DATA_DIRS" \
\
PULSE_SERVER="\''${PULSE_SERVER:-}" \ PULSE_SERVER="\''${PULSE_SERVER:-}" \
PULSE_COOKIE="\''${PULSE_COOKIE:-}" \ PULSE_COOKIE="\''${PULSE_COOKIE:-}" \
\ \